Battling Goliath: An Analysis of the National Privacy Principles (Part I: Principles One to Four)

Posted on by Kartik Chawla

(Image Source: https://flic.kr/p/igPaVp)

This is the first in a two-part post on the National Privacy Principles(NPPs). This post provides with a bit of background, and then deals with Principles One through Four, while the next will deal with Principles Five through Nine. Footnotes are especially important. Disclaimers: The first post is a bit on the longer side. Feedback, comments, recommendations, are welcome. The second part is available here.

A Bit of Background

Most of the works of fiction use, and have perhaps always used, old and established plot devices. One of the most tried, tested, and overused plots is an underdog triumphing against the ‘giant’. This is illustrated quite concisely by the legend of David and Goliath (though there are disagreements here), where David of Israel is a normal human without armor and just a sling and five pebbles who fights and wins against Goliath, the giant of a man who is the champion of the Philistines.

The current dimension of debate around the concept of ‘privacy’ on the Internet is, arguably, a situation quite similar to that of this well know plotline. ‘David’ in this situation is us, the data subject, and Goliaths are the multitudes of companies with vested interests in collecting our information, for their own direct or indirect profit.

Therefore, most of the efforts towards ensuring privacy try to empower ‘David’ in order to enable ‘him’ to stand his own against the Goliaths. This is usually done by giving more power to the data subject through concepts like ‘notice’ and ‘consent’, by allowing them to check up on the data collector, by restricting the actions of the data controllers in order to make the arrangements regarding collection and use of information fair, and by try to make sure that the entire process, not just the data collection, is transparent.

In October 2012, the report of a Group of Experts committee constituted by the Planning Commission and headed by Justice AP Shah was released (referred to herein as the ‘Justice AP Shah Report’). After extensive research, the report came out with nine proposed National Privacy Principles, which according to the report were “the distillation of global best practices which can be effectively implemented in Indian conditions”. It must be noted here that these principles have no legal backing and are not enforceable. At the same time, even though they are not without critique, they have acquired a level of acceptance within the academic community.

This post tries to explain the nine National Privacy Principles of the AP Shah report, and uses the metaphor of one version (my version)[1] of the legend of David’s battle against Goliath. This metaphor is therefore used repeatedly in this post, with David referring to the data subjects or the information collected about them depending on the context.

While the principles 1-5 regulate the actions of the data controller with regards to the data subject, the principles 6-7 regulate the actions the data controller with regards to third parties, and principles 8-9 are concerned with the more general actions and liabilities of the data controller, beyond the specific relationship of the data controller and the data subject.

The Principles

  1. Principles One and Two: Notice, and Choice and Consent

Of the principles articulated in the Justice AP Shah report, the most important, in my opinion, are the first two: Notice and Consent. These principles are common to most regulations on privacy, though they vary in form, and are part of the quintessence of the concept itself. To my mind, the first logical step in the collection of any data about me is that I be notified about the extent and detail about the data that is being collected, and that it only be collected with my consent.

The principle of Notice, as Justice AP Shah’s report articulates it, mandates all data controllers to notify their information practices to all data subjects in a clear and concise manner before the former collect information from them. The report includes certain illustrations of what ‘such notices’ should include, and ‘other notices’.[2] This is essentially parallel to letting David know when and where the battle with Goliath is, and giving him other relevant information, so that he can prepare for it.

After notification, the second principle is that of Choice and Consent. The idea behind this principle is essentially that of natural justice – there should be no information collected about me that I do not consent to the collection of, and that I should have the choice to disagree. (unless it is the government, of course). Even in the legend, David’s battle with Goliath only happens with David’s consent, and he has a chance to withdraw it. Isn’t David lucky? (Note: There are a multitude of legends where the ‘David’ of the story doesn’t really get a choice, but they don’t really help the point here).

The Report specifies that a data controller must give its data subjects, the individuals themselves, a choice regarding the collection of data. Furthermore, consent is mandatory before the collection, processing, or disclosure of data to third parties. It also requires that the data subject be given the option of withdrawing consent.

The report, crucially, leaves open the question whether such consent is to be taken through the opt-in or the opt-out method. The opt-in method is based on the idea that the default is a lack of consent, and the data subjects must individually explicitly give consent before the data can be collected. The opt-out method is the exact opposite – this system assumes that the consent is implied, and data subjects must specifically deny consent. Thus, the users must themselves find out how to deny permission, the default being that the permission is implicit.

What this ends up meaning is that the data controllers meet the minimum requirements of ‘notice’, and use the opt-out method, getting consent by users who are not even aware of the specifics of the data collection, and practically hiding the fact that users have the option of opting out. The same has occurred quite a few times with Google and Facebook databases.[3] Thus, it’s the difference between David being asked “Do you want to fight Goliath?” and him being told “Oh, there’s a fight with Goliath in the morning, you need to be there” and then giving him a lecture with the fact that he’s the one doing the fight being mentioned somewhere in there. And taking that as consent. Like all ‘evil aunts’ and their ‘property deeds’ in Indian soaps (which I only know of because of my mother, I swear!).

According to the Report, explicit consent is not required in two instances. This is either when additional transactions on the collected data are performed within the limitations of the stated purpose, or when it is impossible to provide the service in question with choice and consent.

  1. Principles Three and Four: Collection Limitation and Purpose Limitation

The next two principles are two sides of the same coin: Collection Limitation and Purpose Limitation.

‘Collection Limitation’ states that data controllers should only collect that personal information which is necessary for the stated and notified objective which the data subject has consented to and no more, and this is to be done only through lawful and fair means. This principle tries to reduce the probability of misuse of the collected information.

‘Purpose Limitation’, being a counterpart to the above, mandates that the collected information shall only be used for the purposes that have been notified to and consented by the data subject. This principle further notes two crucial points:

  1. If there is a change of purpose, this must be notified to the individual, and, read with the earlier principles, consent must be taken again.
  2. Once the information has been used in accordance with the identified purpose, it should be destroyed in accordance with the set procedures. This addresses the issue of Data Retention, which has been discussed in earlier posts.

The first principle ensures that if David agrees to do battle with Goliath, that does not mean that he can therefore be asked to fight all the battles the Agency needs to fight. The second principle ensures that if David consents to fighting Goliath, and only that much, he isn’t made to do anything else under the same terms without notifications. (That is, his consent is limited to the fight. The merchandise deals come separately).

Within the ‘Issues and Developments’ noted with these principles, the Report makes a crucial note of the misuse of data that is currently prevalent, and referens to the Data Minimisation principle, which I will discuss in an upcoming post on Google’s new work in the field of privacy. Within the concept of ‘purpose limitation’ and the ‘data retention’ reference therein, the Report also makes a curious reference to the Right to be Forgotten.

[The second part of this series of posts is available here].

[1] This version deviates from the usual legend insofar as David has to fight against Goliath on behalf of the Agency, as part of a ritual that ensures the blessings of their God. Goliath is herein kept confined by the Agency. Also, in this story, souls are a thing. Only The Court has jurisdiction over all disputes involving souls.

[2]Such notices should include:

  1. a) During Collection
  • What personal information is being collected;
  • Purposes for which personal information is being collected;
  • Uses of collected personal information;
  • Whether or not personal information may be disclosed to third persons;
  • Security safeguards established by the data controller in relation to the personal information;
  • Processes available to data subjects to access and correct their own personal information;
  • Contact details of the privacy officers and SRO ombudsmen for filing complaints.
  1. b) Other Notices

 Data breaches must be notified to affected individuals and the commissioner when applicable.

 Individuals must be notified of any legal access to their personal information after the purposes of the access have been met.

 Individuals must be notified of changes in the data controller’s privacy policy.

 Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.”

[3] Some opt-out tools for various data collectors are available here:

  1. Network Advertisement Initiative Consumer Opt-out tool.
  2. 5 Ways to Opt Out of Data Collection, by Nicholas Pell, Your Security Resource.
  3. EFF: opting out of Facebook ads.